Data privacy
The provisions of the European General Data Protection Regulation (GDPR) do not contradict the PSD2 requirements on Strong Customer Authentication (SCA), nor do they conflict with the 3-D Secure 2 authentication protocol. Rather, they provide the legal framework for processing authentication data securely and with appropriate protection of the data subject. GDPR compliance is therefore a prerequisite for meeting the PSD2/3-D Secure requirements.
Merchants decide which optional and conditional data elements are sent to the issuer for risk-scoring purposes. It is essential that cardholders are informed, in the privacy policy or the general terms and conditions, of the purpose for which these optional data are processed. Many of the data points concerned are personal data within the meaning of GDPR, so their processing must meet GDPR requirements (in particular a lawful basis and transparency towards the cardholder).
Responsibility for processing biometric data (e.g. fingerprint or retina scans) or any other special category of sensitive data resides with the issuer, which collects and verifies it during authentication. The merchant does not receive this data and needs to take no further action in this regard.